DETAILED ACTION

1. Claims 21, 22, 24-28, and 31-51 are pending.
Claims 1-20, 23, and 29-30 are cancelled.



Claim Rejections - 35 USC §101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or 
composition of matter, or any new and useful improvement thereof, may obtain a patent 
therefor, subject to the conditions and requirements of this title. 

2. Claims 43-51 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

Claims 43-51 recite a machine-readable storage medium. The specification does
not clearly distinguish what the machine-readable storage medium does or does
not encompass. The specification on pg. 22-23 [0064] discloses: As used herein,
the term "machine-readable medium" refers to any medium or device used to
provide machine instructions and/or data to the machine 600. Examples
include the medium 635, the memory 620, and/or PLDs, FPGAs, ASICs, and
the like. The term "machine-readable signal" refers to any signal, such as the
signals 654, used to provide machine instructions and/or data to the machine
600. The specification defines "machine-readable medium" and
"machine-readable signal" while the claim is to "machine-readable storage medium",
which is not discussed in the portions you cited. Absent a definition in the
spec, "machine-readable storage medium" could be a signal, thus is directed
towards signal per se. Neither the claims nor the specification limits the storage
medium to only non-transitory media or disavows signals for the storage
medium. Therefore, claims 43-51 are directed to signal per se.

Response to Arguments 

3. Applicant's arguments filed 2/19/10 have been fully considered but they 
are not persuasive. 

Examiner traverses the argument on pg. 9-10 that Flowers does not
teach or suggest claim 21 since the present invention uses application-specific
intrusion signatures contrary to using query based rules to describe
vulnerabilities and intrusions. Flowers discloses in the background that in
vulnerability detection systems and intrusion detection systems, security
engineers need to know what types of attack signatures to look for, how to look
for them and how to respond to an identified attack (col.1, lines 49-53).
Flowers further discusses assigning a reflex signature TO a template type (col. 5,
lines 53-55) and each rule is associated with a particular vulnerability ID
which can be numerical or a name. Thus, Flowers suggests the use of
signatures in intrusion detection and that signatures (application-specific
intrusion) are well-known in the prior art of vulnerability intrusion detection
systems.

Applicant further argues on pg. 10 (3rd paragraph) that Naccache
disclosing to examine a set of instructions does not solve the deficiencies of
Flowers because Naccache does not teach application-specific intrusion
signatures. Flowers being the primary prior art discloses the claimed
application-specific intrusion signatures when specified application is detected
where the application ID being a qualifier identifying a particular application
(col. 6, lines 47-col.7, line 21). Flowers further discusses assigning a reflex
signature TO a template type (col. 5, lines 53-55) and each rule is associated
with a particular vulnerability ID which can be numerical or a name and that
security engineers need to know what types of attack signatures to look for,
how to look for them, and how to respond to an identified attack in
vulnerability/intrusion detection systems (col.1, lines 49-53). Thus, Flowers
suggests the use of signatures in intrusion detection and that signatures
(application-specific intrusion) are well-known in the prior art of vulnerability
intrusion detection systems. Naccache is combined with Flowers to include the
limitation "to examine a set of instructions". Naccache discloses the invention for 
monitoring the progress in execution of a series of instructions of a computer program to 
analyze and verify each of the instructions has indeed been loaded or executed to the 
processor (col. 3, lines 50-62 and col. 8, lines 53-67). The monitoring device can be 
integrated into a programmed device which contains the program to be monitored or 
into a device for executing a program to be monitored (col. 6, lines 28-31). Hence, it 
would have been obvious to combine Flowers with Naccache so as to monitor intrusion
and abnormal behavior by obtaining identifiable data in each instruction set executed to
verify the result of the analysis (of the instruction sets) with the reference data recorded
in the program (Naccache - col. 3, lines 50-62 and col. 8, lines 53-67). 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 21, 22, 24-28, and 31-51 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Flowers (US 6,957,348), and further in view of Naccache (US
7,168,065).

As per claim 21: 

Flowers discloses a system comprising: 
a network; and (col.3, lines 55-57) 

one or more machines coupled with the network, each machine comprising a 
communication interface and a memory including an execution area configured to 
perform operations (col.3, lines 18-23 and col.13, lines 40-45) to examine a set of 
instructions embodying an invoked application to identify the invoked application (col.3, 
lines 49-54 and col.7, lines 13-20), obtain application-specific intrusion criteria, the 
application-specific intrusion criteria including intrusion signatures and behavior criteria 
(col.6, lines 47-54 and col.8, lines 21-25), and monitor network communications for 
the invoked application for application-specific intrusion signatures and abnormal
application behavior to detect an intrusion, (col. 3, lines 45-62 and col.4, lines 4-15) 

Although Flowers discloses operations to examine and monitor invoked
applications, it did not clearly discuss to examine a set of instructions.

Naccache discloses the invention for monitoring the progress in execution of a 
series of instructions of a computer program to analyze and verify each of the 
instructions has indeed been loaded or executed to the processor (col. 3, lines 50-62 
and col. 8, lines 53-67). The monitoring device can be integrated into a programmed 
device which contains the program to be monitored or into a device for executing a 
program to be monitored (col. 6, lines 28-31). 

Therefore, it would have been obvious for a person of ordinary skill in the art to
combine the teachings of Flowers with Naccache to examine a set of instructions
embodying an invoked application to identify an invoked application so as to monitor
intrusion and abnormal behavior by obtaining identifiable data in each instruction set
executed to verify the result of the analysis (of the instruction sets) with the reference
data recorded in the program (Naccache - col. 3, lines 50-62 and col. 8, lines 53-67).

As per claim 22: See Flowers on col. 12, lines 50-57 and Naccache on col. 13, lines
15-31; discussing the application-specific intrusion criteria comprises a normal
communication behavior threshold. 

As per claim 24: See Flowers on col.3, lines 45-62 and col.4, lines 4-15; discussing 
to monitor network communications comprises monitoring network communications in a 
network intrusion detection system component running in an execution context with the
invoked application. 

As per claim 25: See Flowers on col. 3, lines 25-30 and 50-55 and Naccache on 
col. 10, lines 15-23; discussing the operations further comprise to provide an application- 
specific remedy for a detected intrusion. 

As per claim 26: See Flowers on col.3, lines 50-55 and Naccache on col. 7, lines 30- 
35; discussing to provide an application-specific remedy comprises cutting at least a 
portion of the network communications for the invoked application. 
As per claim 27: See Flowers on col.3, lines 40-55 and col.4, lines 1-30; discloses 
the system of claim 24 wherein each machine further comprises a local repository and a 
security operation center, the security operation center includes a repository, and 
wherein to obtain the application specific intrusion criteria comprises to: request the 
application-specific intrusion criteria from a local repository; request the application- 
specific intrusion criteria from the master repository if the application-specific intrusion 
criteria is unavailable in the local repository; receive the application-specific intrusion 
criteria from the master repository if requested; and receive the application-specific 
intrusion criteria from the local repository. 

As per claim 28: See Naccache on col.9, lines 37-67; discussing the system of claim 
24 wherein to examine the set of instructions comprises: apply a hash function to the 
set of instructions to generate a condensed representation; and compare the 
condensed representation with existing condensed representations for known 
applications. 

As per claim 31:

Flowers discloses a detection method, comprising: 

examining a set of instructions embodying an invoked application to identify the 
invoked application; (col.3, lines 49-54 and col.7, lines 13-20) 

obtaining application-specific intrusion criteria, the application-specific intrusion 
criteria including application-specific intrusion signatures and behavior criteria; and 
(col.6, lines 47-54 and col.8, lines 21-25) 

monitoring network communications for the invoked application for application- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 
(col.3, lines 45-62 and col.4, lines 4-15) 

Although Flowers discloses operations to examine and monitor invoked
applications, it did not clearly discuss to examine a set of instructions.

Naccache discloses the invention for monitoring the progress in execution of a 
series of instructions of a computer program to analyze and verify each of the 
instructions has indeed been loaded or executed to the processor (col.3, lines 50-62 
and col.8, lines 53-67). The monitoring device can be integrated into a programmed 
device which contains the program to be monitored or into a device for executing a 
program to be monitored (col.6, lines 28-31). 

Therefore, it would have been obvious for a person of ordinary skill in the art to
combine the teachings of Flowers with Naccache to examine a set of instructions
embodying an invoked application to identify an invoked application so as to monitor
intrusion and abnormal behavior by obtaining identifiable data in each instruction set
executed to verify the result of the analysis (of the instruction sets) with the reference
data recorded in the program (Naccache - col. 3, lines 50-62 and col. 8, lines 53-67).

As per claim 32: See Naccache on col.9, lines 37-67; discussing the method of claim
31, wherein examining a set of instructions embodying an invoked application to identify
the invoked application comprises: applying a hash function to the set of instructions to
generate a condensed representation; and comparing the condensed representation
with existing condensed representations for known applications.

As per claim 33: See Flowers on col. 6, lines 47-54 and col. 8, lines 21-25; discussing
the method of claim 31, wherein network communications are monitored for
application-specific intrusion signatures that correspond to the identified invoked application.

As per claim 34: See Flowers on col.3, lines 50-55 and Naccache on col. 7, lines 30-35;
discussing the method of claim 31, further comprising unloading the
application-specific intrusion signatures corresponding to the identified invoked application when
the identified invoked application is terminated.

As per claim 35: See Flowers on col. 12, lines 50-57 and Naccache on
col. 13, lines 15-31; discussing the method of claim 31, further comprising tracking one 
or more characteristics of the network communications to identify application-specific 
abnormal communication behavior. 

As per claim 36: See Flowers on col. 12, lines 50-57 and Naccache on col. 13, lines 
15-31; discussing the method of claim 35, wherein tracking one or more characteristics
of the network communications comprises comparing the one or more characteristics 
with one or more configurable thresholds. 

As per claim 37: See Flowers on col.3, lines 45-62 and col.4, lines 4-15; discussing
the method of claim 35, wherein monitoring network communications comprises 
monitoring network communications in a network intrusion detection system component 
invoked with the invoked application. 

As per claim 38: See Flowers on col.7, lines 11-26; discussing the method of claim
37, wherein the network intrusion detection system component and the invoked 
application run within a single execution context. 

As per claim 39: See Flowers on col.3, lines 25-30 and 50-55 and Naccache on 
col. 10, lines 15-23; discussing the method of claim 31, further comprising operations to 
provide an application-specific remedy for a detected intrusion. 
As per claim 40: See Flowers on col.3, lines 45-55 and Naccache on col. 10, lines 
15-23; discussing the method of claim 39, wherein operations to provide an application- 
specific remedy for a detected intrusion comprises cutting at least a portion of the 
network communications for the invoked application and/or notifying a system 
administrator of the identified application-specific abnormal communication behavior. 

As per claim 41: See Flowers col. 6, lines 47-54 and col. 8, lines 21-25; discussing
the method of claim 31, wherein obtaining the application-specific intrusion detection
signature comprises loading the application-specific intrusion detection signature from a 
local signature repository. 

As per claim 42: See Flowers on col.3, lines 40-55 and col.4, lines 1-30; discussing 
the method of claim 31, wherein obtaining the application-specific intrusion detection 
signature comprises: requesting the application-specific intrusion detection signature 
from a local signature repository in communication with a remote signature repository;
and receiving the application-specific intrusion detection signature from the local 
signature repository. 
As per claim 43: 

Flowers discloses the machine-readable storage medium embodying machine 
instructions for causing one or more processors to perform operations comprising: 

examining a set of instructions embodying an invoked application to identify the 
invoked application; (col.3, lines 49-54 and col.7, lines 13-20) 

obtaining application-specific intrusion criteria, the application-specific intrusion 
criteria including application-specific intrusion signatures and behavior criteria; and 
(col. 6, lines 47-54 and col.8, lines 21-25) 

monitoring network communications for the invoked application for application- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 
(col.3, lines 45-62 and col.4, lines 4-15) 

Although Flowers discloses operations to examine and monitor invoked
applications, it did not clearly discuss to examine a set of instructions.

Naccache discloses the invention for monitoring the progress in execution of a 
series of instructions of a computer program to analyze and verify each of the 
instructions has indeed been loaded or executed to the processor (col.3, lines 50-62 
and col.8, lines 53-67). The monitoring device can be integrated into a programmed 
device which contains the program to be monitored or into a device for executing a 
program to be monitored (col. 6, lines 28-31). 

Therefore, it would have been obvious for a person of ordinary skill in the art to
combine the teachings of Flowers with Naccache to examine a set of instructions
embodying an invoked application to identify an invoked application so as to monitor
intrusion and abnormal behavior by obtaining identifiable data in each instruction set
executed to verify the result of the analysis (of the instruction sets) with the reference
data recorded in the program (Naccache - col. 3, lines 50-62 and col. 8, lines 53-67).

As per claim 44: See Naccache on col.9, lines 37-67; discussing the machine- 
readable storage medium of claim 43, wherein examining a set of instructions 
embodying an invoked application to identify the invoked application comprises: 
applying a hash function to the set of instructions to generate a condensed 
representation; and comparing the condensed representation with existing condensed 
representations for known applications. 

As per claim 45: See Flowers col. 6, lines 47-54 and col. 8, lines 21-25; discussing 
the machine-readable storage medium of claim 43, wherein network communications 
are monitored for application-specific intrusion signatures that correspond to the 
identified invoked application. 

As per claim 46: See Flowers on col.3, lines 50-55 and Naccache on col. 7, lines 30- 
35; discussing the machine-readable storage medium of claim 43, further comprising 
unloading the application-specific intrusion signatures corresponding to the identified 
invoked application when the identified invoked application is terminated. 
As per claim 47: See Flowers on col. 12, lines 50-57 and Naccache on col. 13, lines 
15-31; discussing the machine-readable storage medium of claim 43, further comprising 
tracking one or more characteristics of the network communications to identify
application-specific abnormal communication behavior.

As per claim 48: See Flowers on col.7, lines 11-26 and col. 12, lines 50-57 and 
Naccache on col. 13, lines 15-31; discussing the machine-readable storage medium of 
claim 47, wherein tracking one or more characteristics of the network communications 
comprises comparing the one or more characteristics with one or more configurable 
thresholds. 

As per claim 49: See Flowers on col. 3, lines 45-62 and col.4, lines 4-15; discussing
the machine-readable storage medium of claim 47, wherein monitoring network
communications comprises monitoring network communications in a network intrusion
detection system component invoked with the invoked application.

As per claim 50: See Flowers on col.7, lines 11-26; discussing the machine-readable
storage medium of claim 49, wherein the network intrusion detection system component
and the invoked application run within a single execution context.

As per claim 51: See Flowers on col.3, lines 45-55 and Naccache on col. 10, lines
15-23; discussing the machine-readable storage medium of claim 43, further comprising
operations to provide an application-specific remedy for a detected intrusion.



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Leynna T. Truvan whose telephone number is (571) 
272-3851. The examiner can normally be reached on Monday - Thursday (7:00 - 
5:00PM) and telework on Wednesday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR 
only. For more information about the PAIR system, see http://pair-direct.uspto.gov. 
Should you have questions on access to the Private PAIR system, contact the 
Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like 
assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/L. T. T./ 

Examiner, Art Unit 2435 

/Kimyen Vu/ 
Supervisory Patent Examiner, Art Unit 2435 



